Possible to use certificate on smart card and computer for Wired 802.1x?
Hi,

We are currently looking into using an authentication method with different types of certificates, stored on a smart card and in the local computer certificate store. The idea is that when we boot up a computer, the computer would authenticate with 802.1x on the switch using the local computer certificate, which would then open up a connection without anyone being forced to log in to the computer. However, when we use a smart card which has a user-issued certificate and log in to a computer, we would then want a new 802.1x authentication, but instead of using the local computer certificate we would want the authentication to use a certificate stored on the smart card.

Is this possible? When we look at both the group policy configuration and the interface on a local computer, we can only choose to use a certificate from either a smart card or the local computer, not both. Our goal is to use both sources in different scenarios, as described above.

Regards
Alexander Berg
July 8th, 2010 1:00pm

Hi,

I would like to provide the following documents for your reference:

Windows Smart Card Technical Reference
What's New in Certificates

Best Regards
Dale
July 13th, 2010 8:45am

Hi,

We seem to have found a solution to this and simply activated a hotfix with a registry value, using the following steps.

Computer authentication cannot complete successfully when you use a smart card to log on to a wireless network in Windows XP or...

"What if you need to use a machine certificate on the machine (soft token) for machine authentication and a user certificate on a smart card for user authentication."

The issue is that the same EAP configuration is used for both machine and user authentication. If a user configures EAP-TLS (with the Smartcard option), both machine and user authentication will be performed using smartcards. Machine authentication using a smartcard is not possible because accessing the smartcard will require a PIN, and during machine auth we have no way to show the PIN dialogue (there is no user logged in). As a result, machine authentication is broken if someone wants to use smartcards for user authentication.

"To enable this hotfix, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click to select the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
3. After you select the key that is specified in step 3, on the Edit menu, point to New, and then click DWORD Value.
4. Type UseSoftTokenWithMachineAuthentication, and then press ENTER.
5. Right-click UseSoftTokenWithMachineAuthentication, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor."

However, there is a minor issue: when we activated single sign-on for wired 802.1x, it tries to connect to the network but fails, leaving an error message "unable to connect to the network", and then logs on after the specified network delay and swaps to the user certificate. It works for everything: first the computer certificate, then the user certificate and single sign-on, but the error message shows the wrong information.

Any idea how to hide or suppress this, or how to make this network connection work?

Regards
Alexander Berg
August 19th, 2010 11:59am
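
The registry steps quoted in the post above, scripted so the value can be previewed, set and verified the same way on every machine. This is an added PowerShell example, not part of the original thread: the function name `Set-EapTlsSoftTokenMachineAuth` is hypothetical, the key path and value name are the ones quoted in the post, and it assumes the hotfix the post refers to is already installed.

```powershell
# Added example (not from the thread). Key path and value name come from the
# quoted steps; the function name is hypothetical. Writing to HKLM requires an
# elevated session; the -WhatIf preview does not.
function Set-EapTlsSoftTokenMachineAuth {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 1 is the value given in step 6 of the quoted procedure
        [ValidateRange(0, 1)]
        [int]$Value = 1
    )

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
    $valueName = 'UseSoftTokenWithMachineAuthentication'

    # EAP type 13 is EAP-TLS. If the key is missing, stop instead of creating it.
    if (-not (Test-Path -Path $keyPath)) {
        throw "Registry key not found: $keyPath"
    }

    # Current value; $null means the DWORD has not been created yet.
    $before = (Get-ItemProperty -Path $keyPath -Name $valueName `
                  -ErrorAction SilentlyContinue).$valueName

    $changed = $false
    if ($before -ne $Value) {
        if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set DWORD to $Value")) {
            New-ItemProperty -Path $keyPath -Name $valueName `
                -PropertyType DWord -Value $Value -Force | Out-Null
            $changed = $true
        }
    }

    # Re-read so the report shows what is actually in the registry now.
    $after = (Get-ItemProperty -Path $keyPath -Name $valueName `
                 -ErrorAction SilentlyContinue).$valueName

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Name     = $valueName
        Before   = $before
        After    = $after
        Changed  = $changed
    }
}

# Preview the change first, then run without -WhatIf to apply it.
Set-EapTlsSoftTokenMachineAuth -WhatIf
```

Running the function a second time reports `Changed = False`, which makes it usable as a compliance check as well as a one-time fix.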
